exploitDog

CVE-2025-62608

Опубликовано: 21 нояб. 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-controlled file causes 13-byte out-of-bounds read, leading to crash or information disclosure. This issue has been patched in version 0.29.4.

Ссылки

https://github.com/ml-explore/mlx/pull/1
Issue Tracking
Patch
https://github.com/ml-explore/mlx/pull/2
Issue Tracking
Patch
https://github.com/ml-explore/mlx/security/advisories/GHSA-w6vg-jg77-2qg6
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:ml-explore:mlx:*:*:*:*:*:*:*:*

Версия до 0.29.4 (исключая)

EPSS

Процентиль: 22%

0.00074

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-122

Связанные уязвимости

GHSA-w6vg-jg77-2qg6

github

3 месяца назад

MLX has heap-buffer-overflow in load()

EPSS

Процентиль: 22%

0.00074

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-122